How to add CA certificates to a SolarQube instance deployed using docker-compose?

I am facing a very similar problem to the one described here - our SonarQube instance refuses to connect to our self-managed instance of Gitlab (which uses a self-signed certificate).

The answer provided by Colin in the original thread seems to be pointing in the right direction, but unfortunately did not allow me progress on the issue because it does not contain sufficient details.

Since our SonarQube deployment is based on docker-compose, I suppose this is an additional complicating factor.

Therefore, could anyone please advise how do I “adjust the truststore to add the certificate” in a “truststore that Java uses” for a SonarQube instance deployed using docker-compose? Naturally, in a way that is persistent across container restarts.

Hi @m2427 and welcome to the community :wave:

did you already create a truststore as documented here: Install the Server | SonarQube Docs

If so you can just create a bind mount using compose like this:

version: "3"

services:
  sonarqube:
    image: sonarqube:community
    depends_on:
      - db
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: sonar
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
      - /path/to/your/truststore:/usr/lib/jvm/java-11-openjdk/lib/security/cacerts:ro
    ports:
      - "9000:9000"
  db:
    image: postgres:12
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: sonar
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data

volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql:
  postgresql_data:

hope that helps :slight_smile:

1 Like

Thank you @DefinitelyNotTobi, your answer helped me progress past the “PKIX path building failed” error.

I missed the “Self Signed Certificates of DevOps platforms” part of the installation instructions FAQ - shame on me :expressionless: To my defense, searching the SonarQube documentation for “self-signed” yields no results.

Of course, immediately after I got stuck on another SSL certificate error (from what I understand so far, connected with the fact that the Gitlab-generated certificates do not have the subjectAltName field populated) - but, I suppose, this is a story for another thread.

1 Like